show image

Securing the shifting network perimeter

In today’s dynamic business landscape, CISOs and security practitioners need to work overtime to secure the network. Yet the trusted network perimeter has shifted. Cloud services, employee mobility, and increased inter-organisation collaboration has rendered it virtually meaningless.

A new network security model, a “software-defined perimeter”, is needed. This model eliminates the idea of a trusted network inside (or outside) the corporate perimeter.

Network security is struggling to keep up

The enterprise has changed – it’s no longer static. It’s dynamic. It’s no longer on-premises. It’s hybrid.

Data stored in physical servers has been replaced by virtual ones, housed in centres owned and controlled by third parties. The desktop PC still exists, yet it’s surrounded by tiny mobile devices capable of carrying terabytes of data. Teams in multiple time zones can collaborate as if sitting mere inches away from one another. Even the workforce is no longer confined to a desk within an office. Employees are free to connect from anywhere – home, coffee shops, or airport lounges.

While these flexible working practices have delivered increased collaboration and productivity, they’re a nightmare for the security teams tasked with securing the data and applications stored on the network.

The entry point for nearly all attacks is often a vulnerability on a network end-point. These attacks can be a result of software or human error – like clicking on a phishing link. In either case they have been proven to be very effective. Savvy criminals use port scanning for externally facing resources to identify easily exploitable vulnerabilities that allow lateral movement across the network, or access to another infrastructure entirely.

Malicious individuals have discovered that, when pushing hard enough on virtual doors, they’ll get in. And they are then left free to ‘wander’ the network, stealing data and monetising it for their gain.

Traditional network security tools – firewalls, VPNs, NACs – struggle to manage and secure these hybrid environments.

Organisations need to implement a new model that dynamically creates one to one network connections between users and the data they access.

The software-defined perimeter

Securing these numerous combinations requires an approach that goes beyond simple authentication and considers factors such as device integrity and real-time user context. Additional levels of control, including multi-factor authentication, need to be applied to certain business-critical applications.

That’s why the new security model gaining support is the software-defined perimeter (SDP). It effectively provides threat prevention by trusting no one. It is based on a least privilege model and, in tandem, provides operational efficiency to move at the speed of DevOps. The premise is simple – while you can’t secure what you can’t see, the converse is also true—you can’t hack what you can’t see.

SDP takes an ‘authenticate first, connect second’ stance that ensures only authorised users can connect to network resources. All endpoints attempting to access a given infrastructure are authenticated and authorised prior to being able to access any resources on the network. All unauthorised network resources are made invisible. This not only applies the principle of least privilege to the network, it also reduces the attack surface area by hiding network resources from unauthorised or unauthenticated users.

These session-based connections are both temporary and dynamic—they are provisioned when needed, and then torn down to prevent unauthorised access. SDP obscures communication over these connections with strong encryption inclusive of robust key management capabilities.

If an authorised endpoint device should become infected, and a threat moves laterally to a server which the user is authorised to access, it will not be able to continue on discovering additional workloads to infect as other resources (including ports and protocols) are invisible. This containment to a single segment of connectivity prevents the ability of such threats to communicate with a remote command and control (C&C) server – locking them down and keeping the hackers out.

SDP gives organisations the flexibility to apply least privilege access controls to individual user application connections, effectively reducing the attack surface by making servers invisible to bad actors. It overcomes the constraints of traditional tools by effectively creating a dynamic, individualised perimeter for each user – a network segment of one.

Paul Campaniello is chief marketing officer of Cryptzone